Operation Endgame Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
International law enforcement agencies, coordinated by Europol and Eurojust, executed a major crackdown on the infrastructures supporting the Rhadamanthys infostealer, VenomRAT remote access trojan, and the Elysium botnet. The operation, part of the ongoing Operation Endgame, resulted in the takedown of over 1,025 servers and the seizure of 20 domains used to control and distribute these malware families. Authorities also arrested the main suspect behind VenomRAT in Greece. The dismantled infrastructure had infected hundreds of thousands of computers and was tied to millions of stolen credentials, with many victims unaware of the compromise. The operation involved law enforcement from at least nine countries and was supported by numerous private sector partners, including cybersecurity firms and threat intelligence organizations.
Rhadamanthys, a modular information stealer sold as malware-as-a-service, and VenomRAT, a commodity RAT favored by threat actors like TA558, were both widely distributed through email campaigns, malvertising, and other vectors. The Elysium botnet, less well-documented, was also linked to these operations, potentially serving as a proxy network for criminal activity. The disruption has caused significant operational issues for cybercriminals, with many reporting loss of access to their command-and-control panels and servers. Authorities have advised potential victims to check if their systems were compromised and to take remediation steps, as the takedown is expected to have a substantial impact on the cybercrime ecosystem.
Timeline
Nov 13, 2025
Law enforcement and partners notify victims and criminal users
Following the takedown announcement, authorities and partners directed potential victims to breach-checking and compromise-notification services and said they had contacted users of the criminal services. The outreach was intended both to help exposed victims and to generate investigative leads on operators and customers.
Nov 13, 2025
Authorities publicly announce Rhadamanthys, VenomRAT, and Elysium disruption
On November 13, 2025, Europol and partner agencies publicly revealed the latest Operation Endgame takedowns affecting Rhadamanthys, VenomRAT, and the Elysium botnet. Officials also said the main infostealer suspect had access to more than 100,000 cryptocurrency wallets potentially worth millions of euros.
Nov 13, 2025
Operation Endgame seizes 1,025 servers and 20 domains
International law enforcement dismantled infrastructure used by Rhadamanthys, VenomRAT, and Elysium, taking down 1,025 servers and seizing 20 domains. Europol said the infrastructure had infected hundreds of thousands of computers and was tied to several million stolen credentials.
Nov 11, 2025
Rhadamanthys operators lose access to servers
Customers and operators of the Rhadamanthys malware-as-a-service platform lost access to their servers during the law enforcement disruption. Reporting indicated the developer suspected German law enforcement involvement after seeing German IP connections.
Nov 10, 2025
Searches conducted across Germany, Greece, and the Netherlands
Law enforcement carried out coordinated searches at 11 locations in Germany, Greece, and the Netherlands during the action days of Operation Endgame. These searches took place between November 10 and 14, 2025.
Nov 10, 2025
Operation Endgame begins new action phase
A new phase of Operation Endgame began on November 10, 2025, targeting infrastructure tied to the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet. The multinational effort was coordinated by Europol and Eurojust.
Nov 3, 2025
Police arrest key VenomRAT suspect in Greece
Authorities arrested a main suspect linked to VenomRAT in Greece as part of Operation Endgame. Multiple reports place the arrest on November 3, 2025, ahead of the broader public announcement of the operation.
May 23, 2025
Operation Endgame Season 2 officially launches
Operation Endgame "Season 2" was officially launched as a renewed international effort to disrupt botnet infrastructure and the operators behind it. Spamhaus said it supported the action with victim account remediation, while law enforcement and partners coordinated the broader campaign.
May 30, 2024
Operation Endgame first announced against major botnets
A coalition of international law enforcement agencies announced the original Operation Endgame on May 30, 2024, targeting major botnets including IcedID, SmokeLoader, SystemBC, Pikabot, and Bumblebee. The action marked the initial public launch of the multinational botnet disruption effort later followed by Season 2.
Jan 1, 2022
Rhadamanthys infostealer first observed
Proofpoint described Rhadamanthys as a malware-as-a-service infostealer first seen in 2022, used to steal credentials, financial data, and system information. It later became a tool used by multiple cybercriminal actors across email, web-inject, and malvertising campaigns.
Related Stories
Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity. In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
3 weeks ago
ResolverRAT, LummaStealer, and Amadey Linked in Multi-Tool Cybercrime Campaign
Researchers tied **ResolverRAT**, **LummaStealer**, and an **Amadey** botnet cluster to an active financially motivated campaign that has operated since at least late 2025 and uses fake browser update lures, staged loaders, and legitimate remote management tools for persistence. One analyzed chain used a Donut-decrypted, triple-protected `.NET` loader to deliver both ResolverRAT and LummaStealer at once, combining persistent remote access with credential and cryptocurrency wallet theft. The malware used layered obfuscation including .NET Reactor, custom transformations, AES-256-CBC, GZip, process hollowing, fragmented WinAPI reconstruction, forged compile timestamps, encrypted resource blobs, and certificate pinning, while operators rotated infrastructure across dozens of IPs, multiple domains, and hosting providers in Russia, the Netherlands, Germany, Poland, and elsewhere. Investigators also identified a fake Microsoft-themed domain, **pat[.]microsoft-telemetry[.]at**, and newly activated infrastructure such as **kampf[.]huehnchenfarm[.]ru** tied to the same ecosystem. A parallel March 2026 investigation linked the **fbf543** Amadey campaign to more than 50 payloads spanning at least 13 malware families, including Vidar, QuasarRAT, XWorm, AsyncRAT, Smoke Loader, and LummaStealer, with delivery through fake installers and hosting on infrastructure centered on **Omegatech LTD (AS202412)** and related abusive networks. Analysts found that the operators also abused nine legitimate, signed RMM tools from **ConnectWise, DattoRMM, Atera, GoToResolve, and N-able**, configuring them to beacon to attacker-controlled relays rather than compromising the vendors themselves. 
A separate Go-based loader unpacked LummaStealer with AES, RC4, and QuickLZ before hollowing **AppLaunch.exe**, reinforcing a playbook built around stealthy loaders, infostealer deployment, redundant access channels, and monetization consistent with an initial access broker or ransomware affiliate operation.
1 week ago
Multiple malware campaigns using compromised websites and phishing lures to deliver RATs and stealers
Threat actors are using **compromised or spoofed websites** to trick victims into executing malware, with lures ranging from fake browser updates to counterfeit security-software download pages. Recorded Future’s Insikt Group reported that financially motivated **GrayCharlie** (overlapping with **SmartApeSG**) compromised multiple U.S. law-firm WordPress sites—potentially via a shared IT/marketing provider—and injected externally hosted JavaScript that redirected visitors to **bogus update pages** or **fake CAPTCHA** flows. Victims were prompted to run a PowerShell command via the Windows Run dialog, leading to **NetSupport RAT** installation and follow-on delivery of **Stealc** and **SectopRAT**; the operation’s infrastructure was noted as being supported by **MivoCloud** and **HZ Hosting Ltd.** Separately, Malwarebytes-linked reporting described a **typosquatting** campaign impersonating the Huorong antivirus site (`huoronga[.]com` vs. `huorong.cn`) to distribute **ValleyRAT** (built on the **Winos4.0** framework), attributed to the Chinese-speaking **Silver Fox APT**; the payload was routed through an intermediary domain and hosted on **Cloudflare R2**, with a ZIP masquerading as Huorong (`BR火绒445[.]zip`). In a different region and access vector, Group-IB reported Iran-linked **MuddyWater** running **Operation Olalampo** against MENA targets using **phishing emails** with malicious Office documents/macros to deploy new tooling including **GhostFetch** (dropping **GhostBackDoor**) and **CHAR** (a Rust backdoor controlled via a **Telegram bot**), plus variants using **HTTP_VIP** to deploy *AnyDesk*; the campaign also leveraged recently disclosed vulnerabilities on public-facing servers for initial access.
1 month ago
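The Run-dialog PowerShell lure in the GrayCharlie/SmartApeSG story above leaves a recognisable process-tree artifact: a command typed into the Windows Run dialog is started by explorer.exe, so the resulting powershell.exe has explorer.exe as its parent. The following is an added example, not code from the original page or from the researchers it cites. It scans process-creation records whose field names are loosely modelled on Sysmon Event ID 1 (ParentImage, Image, CommandLine) and flags PowerShell launched from explorer.exe together with window-hiding, profile-skipping, policy-bypass or encoded-command flags, while leaving a scheduled-task PowerShell and an ordinary interactive launch alone. The sample records, the JSON-lines format and the base64 argument (the UTF-16LE encoding of the harmless string "ABCDEFGHIJ") are all constructed for this example.

```python
"""Toy hunt for PowerShell started from the Windows Run dialog with hiding or
encoding flags, as used by fake-update / fake-CAPTCHA lures.

Constructed example. Record shape is modelled loosely on Sysmon Event ID 1;
the JSON-lines format and every sample value below are made up.
"""
import json
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Named indicators; each is a regex matched case-insensitively against the
# command line. They are deliberately generic: the signal comes from combining
# them with an interactive (explorer.exe) parent, not from any one flag.
SUSPICIOUS_FLAGS = [
    ("hidden-window", r"-w(?:in(?:dow(?:style)?)?)?\s+hidden"),
    ("no-profile", r"-nop(?:rofile)?\b"),
    ("execution-policy-bypass", r"-e(?:p|xecutionpolicy)\s+bypass"),
    ("encoded-command", r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
]


def parse_line(line: str) -> ProcEvent:
    """Parse one JSON-formatted process-creation record (constructed format)."""
    rec = json.loads(line)
    return ProcEvent(rec["ParentImage"], rec["Image"], rec["CommandLine"])


def indicators(ev: ProcEvent) -> list:
    """Return the names of the flag patterns present on a PowerShell command line."""
    if not ev.image.lower().endswith("powershell.exe"):
        return []
    return [name for name, pat in SUSPICIOUS_FLAGS
            if re.search(pat, ev.command_line, re.IGNORECASE)]


def is_suspicious(ev: ProcEvent) -> bool:
    """Alert only when the parent is explorer.exe AND at least one flag fired.

    A scheduled task running PowerShell with -NoProfile has a service parent
    and is ignored; a user opening PowerShell from the Start menu has the
    explorer.exe parent but no flags and is ignored too.
    """
    return ev.parent_image.lower().endswith("explorer.exe") and bool(indicators(ev))


def scan(lines) -> list:
    """Return the events from an iterable of JSON log lines that should be reviewed."""
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]


PS = r"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample records: one lure-style launch, one normal interactive
# launch, one scheduled-task style launch, and one unrelated process.
SAMPLE_LOG = [
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "' + PS + r'", '
    r'"CommandLine": "powershell -w hidden -nop -ep bypass -enc QQBCAEMARABFAEYARwBIAEkASgA="}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "' + PS + r'", '
    r'"CommandLine": "powershell.exe"}',
    r'{"ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "' + PS + r'", '
    r'"CommandLine": "powershell.exe -NoProfile -NonInteractive -File C:\\Scripts\\maint.ps1"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"CommandLine": "cmd /c dir"}',
]


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print("REVIEW:", ev.command_line, "->", indicators(ev))
```

The parent check is what keeps the false-positive rate tolerable: the individual flags are common in legitimate automation, so a rule keyed on the flags alone would page on every maintenance script. Real Sysmon or EDR telemetry carries more context (user, session, ancestors, file hashes) that a production rule would also use.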